The ENCS Red Team – Blue Team training teaches anyone working with ICS or smart grids the essentials of cyber security. First security specialists from ENCS give an overview of attacks and defensive measures. Then participants experience a cyber-attack in a realistic Red Team – Blue Team exercise.  The Blue Team defend their networks, which include smart grid and ICS components, while the Red Team tries to hack it. The training:

  • Raises awareness of ICS cyber security risks
  • Provides an overview of defensive measures
  • Teaches how to detect attacks and respond to them

Benefits of Dedicated Company Trainings


A company exclusive training can offer several benefits:

  • The training is a way to start a discussion on security between the IT and OT teams. IT teams usually are concerned with the confidentiality, integrity, and availability of data. OT teams are concerned with the safety of the process under accidental errors. By letting colleagues from both sides experience a cyber incident together, they learn to understand each other’s perspectives, and that both are needed to improve the cyber security of industrial systems.
  • Being part of the Blue team is a good team-building experience, especially for teams responsible for cyber incident response. The Blue Team has to work together in a high-pressure environment to react to a cyber incident in real-time. They learn the importance of good communication in these circumstances, and how to work with limited information.
  • Management can learn about security issues in their organization from the exercise debriefing. After the exercise participants, from Red and Blue teams gather together and are asked about the lessons learned from it, and how they apply to their own organization. This often triggers a discussion of the security problems people encounter in their day-to-day work. We have found it critical for management (even those who did not participate in the exercise) to listen/participate in on this discussion, they will get a lot of information about the state of security in the organization.

The training can be given at a chosen location. Training can be provided on a location of the organization to save on travel time and costs, or they can be into an offsite event based on your needs. 

Content of the Course

The training will have a three-day schedule. The training days are divided into the following parts:

  • During the first two days, experts from ENCS will teach the participants about the cyber security risks of the Industrial Control System (ICS) Domain and how to perform several attacks and defensive measures;
  • On the third day the participants will experience a realistic cyber-attack in the Red Team – Blue Team Exercise.

The goal of this course is to raise awareness about ICS cyber security risks, to provide knowledge about attacks and defensive measures and to experience hands-on practices about cyber security within the ICS domain to the course participants. With this increased cyber security awareness, knowledge and hands-on experience, the course participants could implement this into their own organization, which could be beneficial for the security level of their organization.

The training consists out of ten classroom sessions, a strategy session & the Red team – Blue team exercise.


1. Introduction (theory)

  • Introduction of the participants and the training
  • Overview of security risks to industrial control systems based on real world examples;
  • Overview of strategies to prevent and detect cyber attacks

2. Network scanning (hands-on)

  • Detecting computers and services on a network with the nmap scanner
  • Challenges in scanning industrial networks
  • Analyzing network traffic with Wireshark to find computers in a network and understand the communication between them

3. Trends in Attacks (theory)

  • The motivation of different threat actors, from script kiddies to nation states
  • How to design systems that are not interesting for hackers to attack
  • Analysis of recent advanced cyber attacks

4. Hacking Introduction (theory including a demonstration of an attack)

  • Steps hackers take in attacking systems
  • Tools and methods used by hackers
  • Step by step demonstration how hackers can attack industrial control systems

5. Hacking Hands-on 1: Web attacks and passwords (hands-on)

  • Phishing attacks
  • Attacks against websites such as cross-site scripting (XSS) and SQL injection
  • Cracking password using John the Ripper

Web sites are found on many industrial control system components. Many PLCs and RTUs use a Web interface to provide easy configuration. Web vulnerabilities are therefore commonly found in this domain.

6. Secure Architectures (theory)

  • Concepts of secure architectures, such as segmentation, in networks and devices
  • Examples of good architectures for smart metering, electric vehicles, and substation automation

Using security requirements to procure secure components

7. More on ICS (theory)

  • Different types of industrial control systems (e.g. distributed control systems and SCADA systems)
  • Components in industrial control systems (such as RTUs and PLC) and their functions
  • Vulnerabilities commonly found in industrial control systems
  • Industrial protocols and their security

8. Exploitation (hands-on)

  • Exploiting vulnerabilities with Metasploit and Armitage
  • Steps attackers take once they have access to a system, such as creating a persistent backdoor, escalating privileges, and extracting sensitive information

9. Incident response (theory)

  • Steps in responding to a possible cyber incident
  • Analyzing what really happened during an incident
  • Containing attacks and recovering from them

10. Intrusion detection (hands-on)

  • Dealing with large numbers of alerts from intrusion detection systems
  • Distinguishing between real attacks and false alarms
  • Finding the source of an attack

11. Strategy session

  • Explanation of the rules of the Red Team – Blue Team exercise
  • Participants are split into teams and learn their objectives
  • Each team starts discussing their strategy for the exercise day
  • Teams are shown the facilities during the exercise
  • Both teams get instruction on using their systems
  • Further discussion of the exercise strategies, including tasks for different members

12. Red team – Blue team exercise

The Blue Team runs a simulated company. They have the following tasks:

  • Improve the security of the IT and industrial networks
  • Make the network architecture more secure by improving firewall rules
  • Harden systems by closing unnecessary services
  • Detect attacks on the networks
  • Provide clear evidence that incidents are cause by malicious attackers
  • Find the source of the attack and remove it
  • Keep the normal operations of the company running through the day

The Red Team plays a group of hackers. Their tasks are:

  • Enter the Blue Team’s networks and establish permanent access
  • Extract confidential information from the systems
  • Gain access to the critical industrial control systems and disrupt them

Both teams get points based on how well they perform their tasks. At the end of the day the team with the most points wins. In the exercise participants can practice skills they learned during the first two days. They can choose different roles based on what they want to learn.

13. Exercise debriefing

  • The leader of each team presents a timeline of what they did during the exercise
  • Participants in different roles are asked to share their experiences
  • ENCS exercise moderators point out what each team did well and what they could have done better

14. Lessons Learned

  • The participants formulate the biggest ICS risks of this moment
  • The participants think of Short Term and Long-Term Improvements
  • The participants think of how they can secure their own organizations better against potential cyber-attacks

Number of Participants

To perform the exercise and fill all the roles in the Red and Blue teams, at least 20 participants are required. The ideal number of participants is between 20 and 25. The maximum number is 25 participants.

Extra Information

Click here for the factsheet of the training.

Training location

The Hague or in-company.

Training dates

Trainings planned in 2020:

dates will follow asap

Training duration

The training consists of three days.

Day 1: 09:00 – 17:00

Day 2: 09:00 – 17:00

Day 3: 09:00 – 17:00

On the evening of day 1 there is a dinner to allow for networking.

Who can participate the training

The ENCS Red Team – Blue Team (RTBT) Training is for everyone working in the ICS and Smart Grid Domain and who wants to learn more about the essentials of Cyber Security.
This training will be useful for people working in among others these domains with the following job titles:
Managers (Asset management, risk management, IT/OT management), (Security) Consultants, Engineers, (Web) Developers

Costs of training

Ask for a proposal, more info or register?

click here